top | item 42285356

(no title)

Did you look into Scrypted? It is OSS. With HomeKit (which is how I use it) it is also E2EE. I’m not sure if their app is E2EE though, I only use HomeKit.

It’s pretty good and has an extensive ecosystem. The dev can be a bit… feisty though.

It’s very performant and easy to setup. I don’t use the NVR features as I already have an NVR, I essentially just use it for HomeKit integration of my cameras + doorbell.

https://github.com/koush/scrypted

discuss

arrdalan|1 year ago

I'm not familiar with Scrypted unfortunately. But thanks for the pointer. I'll have to study it to understand its security and privacy implications. I skimmed the docs very quickly but couldn't find info on their use of encryption.

About HomeKit: yes, HomeKit uses iCloud end-to-end encryption (https://support.apple.com/en-us/102651) and is certainly superior to those systems that don't use encryption at all or just use encryption between the device and their servers. But Privastead has two advantages:

1) Privastead uses MLS for end-to-end encryption, which provides forward secrecy and post-compromise security. iCloud's end-to-end encryption does not. So what does that mean? This is from the link I included earlier:

"If you lose access to your account, only you can recover this data, using your device passcode or password, recovery contact, or recovery key."

If an attacker manages to access your password, recovery key, etc., they'll be able to decrypt all your videos (assuming they have recorded all your encrypted videos). Such an attack is not possible in MLS. Similar to the Signal protocol, MLS uses double ratchet and there is not a single password, recovery code, key, etc. that can decrypt everything.

2) The HomeKit framework and iCloud end-to-end encryption are not fully open source as far as I know. Therefore, we simply have to trust what Apple says about their security and privacy implications. That might be okay for some users, but not others. Privastead is and intends to remain fully open source. IMO, being open source is a critical component of any security/privacy solution that would like to gain users' trust.

cvwright|1 year ago

I’m not sure that 1) is such a win for MLS here.

If I lose my phone, I want to get all my security footage back by entering my passphrase etc on my new phone.

In other words, I want the “encrypted cloud storage” security model from [1], not the encrypted messaging security model from Signal etc.

[1] https://eprint.iacr.org/2024/989

amluto|1 year ago

> It is OSS.

Barely. A lot of functionality is gated behind the NVR plugin, which is closed-source and fairly expensive.

> easy to setup

In my experience, it’s easy to set up. But it’s extremely configurable in all the wrong ways and quite difficult to configure in the ways that one might actually want to configure. And the front end is not fantastic IMO: event filtering is extremely weak and scrubbing is bizarre.

corytheboyd|1 year ago

> But it’s extremely configurable in all the wrong ways

Damn that feels exactly like my experience with Zoneminder. I’m sure it is decent software under the hood, but the UX is downright hostile to anyone who just wants to get IP cameras to do very basic motion detection to record some full resolution footage, which feels like the major, obvious use case that should be optimized for.

I am thankful for OSS existing in this realm, but why do so many solutions make the same mistakes? Am I crazy in thinking that a good out of the box experience is important? Is some critical part of the formula locked behind private walls? Something else? Genuinely curious.

unknown|1 year ago

[deleted]